Today marks the day when Google makes good on its new policy to reserve the right to delete inactive accounts after two years of inactivity. The company defines activity as “actions you take when you sign in or while you’re signed in to your Google Account”:
- Reading or sending an email
- Using Google Drive
- Watching a YouTube video
- Sharing a photo
- Downloading an app
- Using Google Search
- Using Sign in with Google to sign in to a third-party app or service
The move has been largely praised by cybersecurity experts, as Patrick Tiquet, VP of security & compliance at Keeper Security noted:
“Inactive accounts can present significant cybersecurity risks, as these accounts may retain weak or unchanged passwords, creating vulnerabilities for unauthorised access and potential misuse by cybercriminals for phishing attacks or data exposure.”
And Colin Little, security engineer at Centripetal, agreed:
“In any digital environment, inactive ‘clutter’ equates to some level of risk. Inactive and legacy email accounts in particular are at higher risk since many are likely before the time of MFA, geo-location profiles, and other contemporary security controls. Therefore, if an inactive and legacy account suddenly becomes active, not only is the original user of that account unaware but Google themselves have no way of knowing if that activity is the authorised user or an unauthorised user abusing that account. Furthermore, because these inactive accounts predate contemporary security controls, Google has no mechanism by which to stop unauthorised access. Since it’s common for user email addresses to be used to sign up for third-party services, and those third-party services to be breached and have email/password combinations stolen, the risk I foresee is for accounts that have been inactive for months or even years to suddenly become active again and abused by bad guys, or to have the contents of that email account, which may contain sensitive information, accessed and stolen by cyber criminals.”
Ben Hutchison, associate principal security consultant at the Synopsys Software Integrity Group likened maintaining inactive accounts to not replacing the old, cracked windows on your property. He continued, “Compromising one account may lead to a cascade if the account compromised enables access to other platform services, the user reuses their password for other accounts or in the specific case of email compromise, providing attackers with the opportunity to abuse account reset workflows for other systems/services in combination with compromised credentials in the hope that the compromised account is linked to one of these, leading to further eventual takeovers.”
“In the past people have often used free services such as Google to create throwaway email addresses rather than using their personal ones. Those mailboxes are maybe used for one specific task and then forgotten about. This takes up resources on Google’s platform but also has other potential risks.
- They usually have terrible passwords, maybe the same password as their regular Google email account and other online services they use.
- They rarely have 2FA enabled.
- The emails in these mailboxes, whether sent or received, may contain sensitive information about the real user who created them.
- They can be used to launch phishing scams, malware and account takeover attacks.
“This does make them a great target for threat actors, so Google should be commended for ‘cleaning house’. There will likely be some loss of data for some individuals, but from a security perspective it does certainly make sense.”
Another issue is that of impersonation leading to sophisticated social engineering attacks. “Aside from shared authentication, one of the most dangerous aspects of compromised dormant accounts is that of imitation,” explained Brian Higgins, Security Specialist at Comparitech. “With access to contacts and old email conversations it is very easy to create a credible and believable message purporting to be from the account owner to defraud or extort money. Depending on the nature of the account it may store financial or business information which would further allow malicious actors to commit crimes.”
He continued: “It is widely agreed good cyber hygiene to ‘weed’ accounts etc. in this manner to mitigate all of these vulnerabilities but most established platforms have no protocol as this issue wasn’t considered at launch. It is estimated that by 2050 there will be more dead people than live account holders on Facebook, and the only person able to delete a Twitter/X account is the holder, so coupled with the server resource needed to maintain an account base as large as Google it makes sense from a sustainability perspective for all big tech to investigate ways to remove inactive users.”